Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPL: Use regex replacement string multiple times

_Tom
Explorer
‎10-27-2021 01:57 AM

Hello *,

I am looking for an SPL that reads the first part of a string via regex and replaces all occurrences of a certain character with this first part. This is to be used for summary indexing. 

Example:

 

1;A__B
2;B__C__D__A__E
3;G

 

is to be transformed into (each line will become a value in a multivalue field):

 

1;A
1;B
2;B
2;C
2;D
2;A
2;E
3;G

 

Neither replace nor rex seem to be able to afford multiple replacements of this kind. I also tried foreach with some field extractions but failed. Before I write a custom search command for it, I hope for your ideas to solve the problem with some clever standard SPL.  

Thank you in advance for your thoughts!

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2021 02:11 AM 
| makeresults
| eval _raw="1;A__B
2;B__C__D__A__E
3;G"
| multikv noheader=t
| table _raw




| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"_")
| mvexpand second
| where second!=""
| eval _raw=first.";".second

View solution in original post

Reply
Solved! Jump to solution

_Tom
Explorer
‎10-28-2021 09:03 AM

 

 

Hello @ITWhisperer,

thank you very much for the quick answer, which helped a lot. We need to do the transformation for multiple fields within a complex query. Therefore, the solution had to be adapted somewhat: 

| makeresults 
| eval fieldname1="1;A__B
2;B__C__D__A__E
3;G"
| eval other_fields_1="other_content"

| eval tmp_raw = _raw
| eval _raw=fieldname1 ``` temporarily overwriting _raw with the field value ```
| multikv noheader=t
| table _raw *other_fields* ``` to keep the fields which we still need ```
| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"__")
| mvexpand second
| eval _raw=first.";".second
| rename _raw as fieldname1
| fields  - first,second
| mvcombine delim="\n" fieldname1 ``` to get a multivalue field ```
| eval _raw = tmp_raw
| table *

Is there a better solution than overwriting _raw with the field value? I also was surprised that creating a multikv.conf file seems not to be required, as it autodetects semicolon as the separator and ignores the underlines.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-29-2021 04:31 AM

You could try rename _raw as tmp_raw and fieldname1 as _raw rather the two assignments but, this is as good a way as any to get multikv to work.

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2021 02:11 AM 
| makeresults
| eval _raw="1;A__B
2;B__C__D__A__E
3;G"
| multikv noheader=t
| table _raw




| eval first=mvindex(split(_raw,";"),0)
| eval second=split(mvindex(split(_raw,";"),1),"_")
| mvexpand second
| where second!=""
| eval _raw=first.";".second
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...